Skip to main content

diagrid mcpserver access test

Test whether a caller is allowed to call a tool on an MCP server

Description

Test whether a caller is allowed to call a tool on an MCP server.

The server's access policy is read from the control plane and evaluated locally using the same OPA middleware the sidecar enforces with, so the verdict matches what runtime enforcement would decide for that tools/call. No call is made to the MCP server itself.

diagrid mcpserver access test <mcpserver> [flags]

Examples


# Check whether agent-a is allowed to call the "query" tool on my-mcp.
diagrid mcpserver access test my-mcp --project my-project --caller agent-a --tool query

# Check the any-caller grant.
diagrid mcpserver access test my-mcp --project my-project --caller '*' --tool query

Options

-p, --project string Name of existing project
--caller string App ID of the caller to simulate (use '*' to test the any-caller grant)
--tool string Name of the tool the caller attempts to call
-o, --output string Output format, supported [table, yaml, json] (default "table")
-h, --help help for test

Options inherited from parent commands

--api-key string Diagrid Cloud API key

SEE ALSO